libceph: fix a use after free issue in osdmap_set_max_osd

If the state variable is krealloced successfully, map->osd_state will be freed, once following two reallocation failed, and exit the function without resetting map->osd_state, map->osd_state become a wild pointer. fix it by resetting them after krealloc successfully. Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
author: Li RongQing <roy.qing.li@gmail.com> 2014-09-07 06:10:51 -0400
committer: Ilya Dryomov <idryomov@redhat.com> 2014-10-14 13:03:21 -0400
commit: 589506f1e7f135943bcd34903bcdcf1fdaf00549 (patch)
tree: e592366a1c1d59e8ca1085fd13a06ebc506420d1 /net/ceph
parent: dc220db03f15c9875aa09c36beba582f20c76be1 (diff)
1 files changed, 16 insertions, 16 deletions
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index c547e46084d3..ec4d9e24dcf9 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -671,26 +671,26 @@ static int osdmap_set_max_osd(struct ceph_osdmap *map, int max)
        int i;
        state = krealloc(map->osd_state, max*sizeof(*state), GFP_NOFS);
+        if (!state)
+                return -ENOMEM;
+        map->osd_state = state;
        weight = krealloc(map->osd_weight, max*sizeof(*weight), GFP_NOFS);
-        addr = krealloc(map->osd_addr, max*sizeof(*addr), GFP_NOFS);
+        if (!weight)
-        if (!state || !weight || !addr) {
+                return -ENOMEM;
-                kfree(state);
+        map->osd_weight = weight;
-                kfree(weight);
-                kfree(addr);
+        addr = krealloc(map->osd_addr, max*sizeof(*addr), GFP_NOFS);
+        if (!addr)
                return -ENOMEM;
-        }
+        map->osd_addr = addr;
        for (i = map->max_osd; i < max; i++) {
-                state[i] = 0;
+                map->osd_state[i] = 0;
-                weight[i] = CEPH_OSD_OUT;
+                map->osd_weight[i] = CEPH_OSD_OUT;
-                memset(addr + i, 0, sizeof(*addr));
+                memset(map->osd_addr + i, 0, sizeof(*map->osd_addr));
        }
-        map->osd_state = state;
-        map->osd_weight = weight;
-        map->osd_addr = addr;
        if (map->osd_primary_affinity) {
                u32 *affinity;
@@ -698,11 +698,11 @@ static int osdmap_set_max_osd(struct ceph_osdmap *map, int max)
                                    max*sizeof(*affinity), GFP_NOFS);
                if (!affinity)
                        return -ENOMEM;
+                map->osd_primary_affinity = affinity;
                for (i = map->max_osd; i < max; i++)
-                        affinity[i] = CEPH_OSD_DEFAULT_PRIMARY_AFFINITY;
+                        map->osd_primary_affinity[i] =
+                            CEPH_OSD_DEFAULT_PRIMARY_AFFINITY;
-                map->osd_primary_affinity = affinity;
        }
        map->max_osd = max;
author	Li RongQing <roy.qing.li@gmail.com>	2014-09-07 06:10:51 -0400
committer	Ilya Dryomov <idryomov@redhat.com>	2014-10-14 13:03:21 -0400
commit	589506f1e7f135943bcd34903bcdcf1fdaf00549 (patch)
tree	e592366a1c1d59e8ca1085fd13a06ebc506420d1 /net/ceph
parent	dc220db03f15c9875aa09c36beba582f20c76be1 (diff)

diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index c547e46084d3..ec4d9e24dcf9 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c
@@ -671,26 +671,26 @@ static int osdmap_set_max_osd(struct ceph_osdmap *map, int max)
671	int i;	671	int i;
672		672
673	state = krealloc(map->osd_state, maxsizeof(state), GFP_NOFS);	673	state = krealloc(map->osd_state, maxsizeof(state), GFP_NOFS);
		674	if (!state)
		675	return -ENOMEM;
		676	map->osd_state = state;
		677
674	weight = krealloc(map->osd_weight, maxsizeof(weight), GFP_NOFS);	678	weight = krealloc(map->osd_weight, maxsizeof(weight), GFP_NOFS);
675	addr = krealloc(map->osd_addr, maxsizeof(addr), GFP_NOFS);	679	if (!weight)
676	if (!state \|\| !weight \|\| !addr) {	680	return -ENOMEM;
677	kfree(state);	681	map->osd_weight = weight;
678	kfree(weight);
679	kfree(addr);
680		682
		683	addr = krealloc(map->osd_addr, maxsizeof(addr), GFP_NOFS);
		684	if (!addr)
681	return -ENOMEM;	685	return -ENOMEM;
682	}	686	map->osd_addr = addr;
683		687
684	for (i = map->max_osd; i < max; i++) {	688	for (i = map->max_osd; i < max; i++) {
685	state[i] = 0;	689	map->osd_state[i] = 0;
686	weight[i] = CEPH_OSD_OUT;	690	map->osd_weight[i] = CEPH_OSD_OUT;
687	memset(addr + i, 0, sizeof(*addr));	691	memset(map->osd_addr + i, 0, sizeof(*map->osd_addr));
688	}	692	}
689		693
690	map->osd_state = state;
691	map->osd_weight = weight;
692	map->osd_addr = addr;
693
694	if (map->osd_primary_affinity) {	694	if (map->osd_primary_affinity) {
695	u32 *affinity;	695	u32 *affinity;
696		696
@@ -698,11 +698,11 @@ static int osdmap_set_max_osd(struct ceph_osdmap *map, int max)
698	maxsizeof(affinity), GFP_NOFS);	698	maxsizeof(affinity), GFP_NOFS);
699	if (!affinity)	699	if (!affinity)
700	return -ENOMEM;	700	return -ENOMEM;
		701	map->osd_primary_affinity = affinity;
701		702
702	for (i = map->max_osd; i < max; i++)	703	for (i = map->max_osd; i < max; i++)
703	affinity[i] = CEPH_OSD_DEFAULT_PRIMARY_AFFINITY;	704	map->osd_primary_affinity[i] =
704		705	CEPH_OSD_DEFAULT_PRIMARY_AFFINITY;
705	map->osd_primary_affinity = affinity;
706	}	706	}
707		707
708	map->max_osd = max;	708	map->max_osd = max;